Minutes

Attendees: Joanne Boomer, Andy Morgan, Grady Bailey, Jim VanLandeghem, Björn Mattsson, Derek Eiler, Mark Rank, Jeffrey Crawford, Matthew Economou, Marina Krenz

Reps from other Groups: John Bradley (CACTI), David Bantz (CTAB)

Staff / SME: Nicole Roy, Dave Shafer, IJ Kim, Ann West, Eric Goodman, Albert Wu, David Walker, Kevin Morooney

Scribes: Andy Morgan

Notes

Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework.

Public Content Notice - TAC minutes are public documents. Please let the TAC and note taker know if you plan to discuss something of a sensitive nature.

Call for scribe volunteers (2 per call)

  • Andy Morgan

Updates:

  • Nicole - working on Seamless Access discovery replacement stuff.  New experience went live yesterday for I2 IAM platform stuff, federation-wide version is still in testing.
  • Authenticating proxy in front of the FM is now able to bind SSO sessions to client IP
  • Ann - Planning session last week, looking to report out to staff related to Future2 work.  Next steps - chat about it at CommEX in 2 weeks.
  • CTAB liaison (Kathy) - (not present at TAC meeting)
  • CACTI liaison - we don’t think we have identified a liaison to CACTI…  Joanne - does anyone want to volunteer?  Arm-twisting will continue

Call for participation for TechEx Planning Committee (Joanne)

  • Joanne will be on the TechEx Planning Committee?
  • Grady says yes!
  • Jim VanLandeghem can be available if another person is needed

Futures 2 Updates (Kevin)

  • Presentation by Kevin.  Core is steady but presentation is not.  Working quickly still.
  • Act I - Present state stuff
    • InCommon curates software (CoManage, Grouper, Shibboleth, midPoint) and manages training, etc
    • InCommon gives guidance on connecting campus to cloud stuff like commercial and R&E - infrastructure, tools, policies, contracts (the trust federation)
    • Commercial vendors decide what goes in the cloud. Universities decide for R&E services.
  • Act 2 - The Context
    • T (tech) - 1990-2000
    • IT (infotech) 2000-2010
    • I (info) 2010-
    • “Now that everything is digital, what is IT?”
    • “I and T and IT”
    • Today, it’s about extracting value from IT, T
  • Act 3 - The Report
    • Infographic as executive summary
    • Simplified to: knowledge and communication
    • Tying it together - Take what we do (in the present), extract new and different value, and do it like THIS
    • It’s time to establish a new trajectory, not just add salt to the dish
    • 771 orgs, estimate 3 IAM people per org, 2313 total people
    • Not just advising InCommon, but advising the 2313 people
    • We don’t know enough now to make a hard turn to Where You Want To Be, but we can start making shifts and adjust to reach our goal.
    • What do we shift in this first year to begin to achieve our goal?
  • Questions?
    • Through experimentation
    • Marathon, not sprint
    • Example, how could TAC better serve that army of 2313 people?
    • Nicole - example: digital wallets, VC.  We could do a pilot (experimentation)
    • Kevin - coached competitive HS sports for a long time.  Getting them to see themselves differently, and then they could achieve their goals. Requires experimentation.  Risky proposition.  We are proud of our current identity.  Report is asking us to change our identity.  You already kind of do these things.
    • Kevin - Don’t be experimental about those operational things.  60% of report is about creating knowledge and disseminating it.  Think about ourselves differently.
    • Kevin - what you say is well-represented in the report.  InCommon started as trust federation, didn’t mention IAM.  This is a call for going to the other ends: campus and service providers
    • Nicole - We’ve been able to engage agencies, giving us bandwidth to look at new concepts.
    • John - we need to take a leadership position because multilateral federations are new to everyone else.
    • Kevin - this isn’t about doing one thing at the expense of the other.  We will have to do what we’re doing.
    • John - we can’t just keep publishing metadata.  Why were we curating metadata?  To establish trust.
    • Albert - We need to articulate trust in a way that is independent of protocols. It’s about the concept of trust. Multi-lateral federation may not be the focus on campus. They are more focused on bi-lateral federation, but the trust is still needed.
    • How do we determine those slight course corrections?
    • What are the riskiest assumptions?  Implicit assumptions?
    • Matthew - Experimentation might be finding out what doesn’t work.  How do we give the community the runway to learn from the failures?
    • Mark Rank - How will those experiments be balanced with the operational capabilities InCommon currently does?
    • David Walker - Like driving a car to an event without a map. Liked that there was a dot for each year. Maybe the event is exactly where you thought it was either (the goal might change).
    • Albert - TAC has already done work in some of these areas - proxies.  We haven’t helped much on the SP side, such as research.
    • Eric Goodman - What does the community need to do their IAM jobs vs the vision that InCommon has had historically? It feels like that has diverged. The work that I could get approval to do diverged from what InCommon was talking about. Find ways to test if what InCommon is working on aligns with the community’s problems. Deployment Profile (saml2int) is an example.
    • John Bradley - While it may be true that there is stuff to pay attention to in both directions, don’t take your eye off the ball of the core mission (trust fabric). People underestimate wallets - trust fabrics will be more important, not less. Login from A to B cannot be underestimated

Closing the loop on 2024 Work Plan (first half) (Albert)

  • If there are no objections, Albert will open the work plan to the public.
  • Albert will follow-up with the leads for each item regarding working groups
  • Seeing no objections, the work plan is approved.

Email Updates

Browser Changes High Level Notes

From Judith Bush:

FedCM Working Group status: Heather shared

Yes, we are closer to a working group. W3C members have until Feb 29 to vote. So far, 13 have voted in favor, no objections, one abstention. The big players haven't voted yet at all. We're not anticipating any blockers. We have two chairs picked out: me and Wendy Seltzer (used to be W3C staff, now consults with the DNS registry Tucows on identity issues).

SAML and FedCM:  The 2024-02-06 notes from FedCM are rich reading https://github.com/fedidcg/meetings/blob/main/2024/2024-02-06-notes.md

Sam Goto of Chrome reported “SAML” was having third-party cookie failures:

  • Messages we are getting from SAML operators is that they are depending on 3P cookies
  • Feel like Authentication mechanism is one of the large number of services they provide
  • So we've been told SAML doesn't break with 3P Cookie Deprecation
  • But all the operators are coming back saying "no no it actually does break because of these auxiliary operations"

Speculation is that this is framed authentication. https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment?language=en_US

Members of our community are trying to help educate about SAML but are probably not going to be able to show SAML breaking because not third party cookies.

Sam also describes FedCM as a “binding” for protocols like SAML and OIDC

There’s also a document https://github.com/fedidcg/FedCM/issues/536 that begins: “By design, FedCM operates on a layer under userland identity protocols like OIDC/SAML.” I believe this document led to a beginning of conversations with the OAuth WG chairs and a plan to attend the OAuth Security Workshop in Rome in April: https://oauth.secworkshop.events/osw2024
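Added illustration of the framed-authentication problem described in the email above (SP pages that start a SAML login inside an iframe and silently depend on the IdP's cookie being sent as a third-party cookie). This is example code written for these minutes, not code from FedCM, Okta, Chrome or any InCommon project. `document.hasStorageAccess()` is the real Storage Access API; the helper names (`probeStorageAccess`, `chooseLoginStrategy`, `buildTopLevelLoginUrl`, `startLogin`) and the `return_to` parameter are assumptions for the example. The decision logic is kept separate from the browser probe so it can be exercised with constructed fake `window`/`document` objects.

```javascript
// Example: detect when a framed SAML login will lose its IdP cookie under
// third-party cookie blocking, and fall back to a top-level redirect.
// Helper names and the return_to parameter are assumptions for this example.

// Probe the browser: are we framed, and do we currently have unpartitioned
// cookie access? Takes win/doc as parameters so fakes can be injected.
async function probeStorageAccess(win, doc) {
  const framed = win.self !== win.top;
  const apiAvailable = typeof doc.hasStorageAccess === "function";
  const hasAccess = apiAvailable ? await doc.hasStorageAccess() : false;
  return { framed, apiAvailable, hasAccess };
}

// Decide how to start the login. Inline (inside the iframe) only works when
// the IdP session cookie will actually accompany the framed request.
function chooseLoginStrategy({ framed, apiAvailable, hasAccess }) {
  if (!framed) {
    return { mode: "inline", reason: "top-level document, cookies are first-party" };
  }
  if (!apiAvailable) {
    return { mode: "top-level-redirect", reason: "no Storage Access API; assume 3P cookies blocked" };
  }
  if (hasAccess) {
    return { mode: "inline", reason: "storage access already granted" };
  }
  return { mode: "top-level-redirect", reason: "framed without storage access" };
}

// Build the top-level login URL. The return target is resolved against the
// SP's own origin and rejected if it lands anywhere else, so the fallback
// cannot be turned into an open redirect.
function buildTopLevelLoginUrl(spLoginUrl, returnTo, allowedOrigin) {
  const target = new URL(returnTo, allowedOrigin);
  if (target.origin !== allowedOrigin) {
    throw new Error("return target must stay on the SP origin");
  }
  const login = new URL(spLoginUrl);
  login.searchParams.set("return_to", target.href);
  return login.href;
}

// Wire it together: either proceed inline or navigate the top-level window,
// which makes the IdP cookie first-party for the SAML exchange.
async function startLogin(win, doc, spLoginUrl, returnTo, allowedOrigin) {
  const decision = chooseLoginStrategy(await probeStorageAccess(win, doc));
  if (decision.mode === "inline") {
    return decision;
  }
  const url = buildTopLevelLoginUrl(spLoginUrl, returnTo, allowedOrigin);
  win.top.location.href = url; // break out of the frame
  return { ...decision, url };
}
```

In a real deployment the SP would call `startLogin(window, document, ...)` from the framed page; a sandboxed iframe without `allow-top-navigation` cannot perform the redirect, so the SP should also surface a visible "sign in" link as a last resort.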

International Updates

From Albert Wu:

REFEDS has published its official 2024 Work Plan: https://wiki.refeds.org/display/WOR/2024+Workplan. Working Groups have begun scheduling their meetings. If you are interested in participating in any of the groups, please see each group’s wiki for the latest call time/coordinates.

Next Meeting @ February 22, 2024
